In February 2024, Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:
German police seized the largest German-speaking cybercrime marketplace Crimemarket and arrested one of its operators.
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million.
The transaction, visible on Bitcoin's blockchain, suggests the victim of one of the worst ransomware attacks in years may have paid a very large ransom.
Russia has been accused of attempting to inflame divisions in Germany by publishing an intercepted conversation in which Bundeswehr officials discuss the country’s support for Ukraine, particularly around the supply of Taurus cruise missiles.
The 38-minute conversation, which took place on February 19, was first published on social media platform Telegram by Margarita Simonyan, the editor-in-chief of RT and a sanctioned propagandist, who said the recording had been provided to her by “comrades in uniform.”
Non-techies told to master firmware upgrades and firewall rules. For the infosec hardheads: have some IOCs
The gang claimed responsibility for a high-profile attack against Change Healthcare Wednesday.
Walmart and Temu pulled the affected doorbell cameras from their stores. Amazon and others have taken no action.
The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials
Lending firm LoanDepot said the personal information of 16.9 million individuals was stolen in a ransomware attack in early January 2024.
Patients having trouble getting lifesaving meds have the AlphV crime group to thank.
The idea is simple; take advantage of the typos that people make when they enter email addresses. If we positioned ourselves in between the sender of an email (be it a person or a system) and the legitimate recipient, we may be able to capture plenty of information about the business, including personally identifiable information, email verification processes, etc. This scenario is effectively a Person-in-the-Middle (PiTM), but for email communications.
German chancellor promises probe after leak of officers discussing the supply of long-range missiles.
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia targeting entities supporting Ukraine. Discover an overview of the changes made by the group, both from the perspective of the software shared by the group to generate DDoS attacks and the specifics of the evolution of the C2 servers. It also provides an overview of the country and sectors targeted by the group for 2024.
Security researchers created an AI worm in a test environment that can automatically spread between generative AI agents—potentially stealing data and sending spam emails along the way.
GitHub keeps removing malware-laced repositories, but thousands remain.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
Dans la plupart des cas, les attaquants n’ont pas tenté d’aller plus loin, sauf quelques exceptions. Il s’agissait vraisemblablement pour les attaquants de mettre d’abord un premier pied chez leur cible.
Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time. For example, as outlined in PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure), sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Discover our TDR team's revelations about Predator spyware: its C2 infrastructure and list of countries still using its cyber espionage tool.
